NEW YORK — Apple says Facebook can no longer distribute an app that paid users, including teenagers, to extensively track their phone and web use.

In doing so, Apple closed off Facebook’s efforts to sidestep Apple’s app store and its tighter rules on privacy.
The tech blog TechCrunch reported late Tuesday that Facebook paid people about $20 a month to install and use the Facebook Research app. While Facebook says this was done with permission, the company has a history of defining “permission” loosely and obscuring what data it collects.
“I don’t think they make it very clear to users precisely what level of access they were granting when they gave permission,” mobile app security researcher Will Strafach said Wednesday. “There is simply no way the users understood this.”
He said Facebook’s claim that users understood the scope of data collection was “muddying the waters.”
Facebook says fewer than 5 percent of the app’s users were teens and they had parental permission. Nonetheless, the revelation is yet another blemish on Facebook’s track record on privacy and could invite further regulatory scrutiny.

App Appears to Be Available for Android Phones

And it comes less than a week after court documents revealed that Facebook allowed children to rack up huge bills on digital games and that it had rejected recommendations for addressing it for fear of hurting revenue growth.
For now, the app appears to be available for Android phones, though not through Google’s main app store. Google had no comment Wednesday.
Apple said Facebook was distributing Facebook Research through an internal-distribution mechanism meant for company employees, not outsiders. Apple has revoked that capability.
TechCrunch reported separately Wednesday that Google was using the same privileged access to Apple’s mobile operating system for a market-research app, Screenwise Meter. Asked about it by The Associated Press, Google said it had disabled the app on Apple devices and apologized for its “mistake.”
The company said Google had always been “upfront with users” about how it used data collected by the app, which offered users points that could be accrued for gift cards. In contrast to the Facebook Research app, Google said its Screenwise Meter app never asked users to let the company circumvent network encryption, meaning it is far less intrusive.
Facebook is still permitted to distribute apps through Apple’s app store, though such apps are reviewed by Apple ahead of time. And Apple’s move Wednesday restricts Facebook’s ability to test those apps — including core apps such as Facebook and Instagram — before they are released through the app store.
Facebook previously pulled an app called Onavo Protect from Apple’s app store because of its stricter requirements. But Strafach, who dismantled the Facebook Research app on TechCrunch’s behalf, told the AP that it was mostly Onavo repackaged and rebranded, as the two apps shared about 98 percent of their code.

Traffic-Capturing Tools Are Only Supposed to Be for Trusted Partners

As of Wednesday, a disclosure form on Betabound, one of the services that distributed Facebook Research, informed prospective users that by installing Facebook Research, they are letting Facebook collect a range of data. This includes information on apps users have installed, when they use them and what they do on them. Information is also collected on how other people interact with users and their content within those apps, according to the disclosure.

Betabound warned that Facebook may collect information even when an app or web browser uses encryption.
Strafach said emails, social media activities, private messages and just about anything else could be intercepted. He said the only data absolutely safe from snooping are from services, such as Signal and Apple’s iMessages, that fully encrypt messages prior to transmission, a method known as end-to-end encryption.
Strafach, who is CEO of Guardian Mobile Firewall, said he was aghast to discover Facebook caught red-handed violating Apple’s trust.
He said such traffic-capturing tools are only supposed to be for trusted partners to use internally. Instead, he said Facebook was scooping up all incoming and outgoing data traffic from unwitting members of the public — in an app geared toward teenagers.
“This is very flagrantly not allowed,” Strafach said. “It’s mind-blowing how defiant Facebook was acting.”